Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp2485429yba; Fri, 10 May 2019 12:24:41 -0700 (PDT) X-Google-Smtp-Source: APXvYqyQODaOTmDKV4f8gWGhaC0cwdQF9fzIDOmGNdwP1zylaPRv6wXU8/wtLghip2LK3NiwYxrV X-Received: by 2002:a17:902:b210:: with SMTP id t16mr15272615plr.84.1557516281647; Fri, 10 May 2019 12:24:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1557516281; cv=none; d=google.com; s=arc-20160816; b=wt8z3yYMpnWVS5qP/qGUxIw9HTIkksP84HR+rXx5jFJRgO/tyhI5ujzct/ppszLqld b08mtj6CKOlR+K4BCKORJEibIdYpqFGIWW1z5S14/XF3jxLmYSEq/zC9VaZzbuFjaENc Cq93HbILYNWJLSAi7CybtUV6E/k1no+fu8yycz7tIKpApkr2XA/mDdV0bdyy5Fqlq++t JugHtKc0WBiHlkk+YtSF0QmgmaLNeDMQqWwXtqUFc/QyvTF9h4kFdTpoNIj5tFOtQQaY 23oDDpaMOyASMxUkjtZiIqtRbg3muedyPdCp8g/XDk5sl1Kl/UDAZoh+wDGiU8SFyhXl USUQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=RrxsmL3fnIGzgok46wpbjXUoE7nj2WttDzECgmXxv1Y=; b=wwKSFnKCyKHoSQzVaYmxp2TKpLXj5GVqvRiFlilsSYEbYZMiKlGz7+vQQvCeapQRXh OkXUvC/fnTQUoldG5kaSfSwGk11RpK3rhmQ80NlOJjaE/juvzqnuer4p4a9Vk96Tq/eR TWrGpINs66H65Ykehv8fKk1YPoOJnFrj6vzreZQhXqOX6HlCj3QBsxXYs5QkNE/0oOP5 W7y/ASl8EBNakO2vLieIYmaAfoBwE7sVZYVfMi7XTSjSp/6SbBtbuG3k8FY3NWjASMsy amzyxFP6X7Lc0nOw0LqrfSt7Hp/KZtgpipyVwYHXKrrOErquA3Xey77rqRNPY1udLcjc aaKw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=0M9qAGAC; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a16si5720563pgv.75.2019.05.10.12.24.22; Fri, 10 May 2019 12:24:41 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=0M9qAGAC; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727957AbfEJTWt (ORCPT + 99 others); Fri, 10 May 2019 15:22:49 -0400 Received: from mail.kernel.org ([198.145.29.99]:35886 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727694AbfEJTWt (ORCPT ); Fri, 10 May 2019 15:22:49 -0400 Received: from mail-wr1-f42.google.com (mail-wr1-f42.google.com [209.85.221.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9367721850 for ; Fri, 10 May 2019 19:22:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1557516167; bh=A5xalmmL8H1Iq8fxzTQYLZUEYrOLdpg9dk/dWsknQFI=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=0M9qAGAC0+oIV4vU1pOYOruimjxIP6xwN3M4zU10h4UPjIztj0OG/SpZtik8pMLt9 GDVz56oQ/ShGKiiIkHgo46c1UWx/bmxdxMhi2Ex6TH+6PlfJKb7xwrbG2R2hgWUs57 /t859446qfSlRWpK6BDlgEN29nRE0WIXUkSmwb0U= Received: by mail-wr1-f42.google.com with SMTP id s15so9007516wra.12 for ; Fri, 10 May 2019 12:22:47 -0700 (PDT) X-Gm-Message-State: APjAAAXt9gey7M0USZ/GmEzwUlIp5IuJU06Uf9rwArIqwKYJsCvLuPf5 BcWDvLHnoIXoMGUAErTFJVWQ6mZvRdhe5BQmEvwZ3g== X-Received: by 2002:adf:fb4a:: with SMTP id c10mr8719136wrs.309.1557516166095; Fri, 10 May 2019 12:22:46 -0700 (PDT) MIME-Version: 1.0 References: <20190417103938.7762-1-jarkko.sakkinen@linux.intel.com> <8c5133bc-1301-24ca-418d-7151a6eac0e2@fortanix.com> <2AE80EA3-799E-4808-BBE4-3872F425BCF8@amacapital.net> <49b28ca1-6e66-87d9-2202-84c58f13fb99@fortanix.com> <444537E3-4156-41FB-83CA-57C5B660523F@amacapital.net> <5854e66a-950e-1b12-5393-d9cdd15367dc@fortanix.com> <960B34DE67B9E140824F1DCDEC400C0F4E885F9D@ORSMSX116.amr.corp.intel.com> <979615a8-fd03-e3fd-fbdb-65c1e51afd93@fortanix.com> <8fe520bb-30bd-f246-a3d8-c5443e47a014@intel.com> <358e9b36-230f-eb18-efdb-b472be8438b4@fortanix.com> <960B34DE67B9E140824F1DCDEC400C0F4E886094@ORSMSX116.amr.corp.intel.com> <6da269d8-7ebb-4177-b6a7-50cc5b435cf4@fortanix.com> In-Reply-To: <6da269d8-7ebb-4177-b6a7-50cc5b435cf4@fortanix.com> From: Andy Lutomirski Date: Fri, 10 May 2019 12:22:34 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v20 00/28] Intel SGX1 support To: Jethro Beekman Cc: "Xing, Cedric" , "Hansen, Dave" , Andy Lutomirski , Thomas Gleixner , "Dr. Greg" , Jarkko Sakkinen , Linus Torvalds , LKML , X86 ML , "linux-sgx@vger.kernel.org" , Andrew Morton , "Christopherson, Sean J" , "nhorman@redhat.com" , "npmccallum@redhat.com" , "Ayoun, Serge" , "Katz-zamir, Shay" , "Huang, Haitao" , Andy Shevchenko , "Svahn, Kai" , Borislav Petkov , Josh Triplett , "Huang, Kai" , David Rientjes Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 10, 2019 at 12:04 PM Jethro Beekman wrote= : > > On 2019-05-10 11:56, Xing, Cedric wrote: > > Hi Jethro, > > > >> ELF files are explicitly designed such that you can map them (with mma= p) > >> in 4096-byte chunks. However, sometimes there's overlap and you will > >> sometimes see that a particular offset is mapped twice because the fir= st > >> half of the page in the file belongs to an RX range and the second hal= f > >> to an R-only range. Also, ELF files don't (normally) describe stack, > >> heap, etc. which you do need for enclaves. > > > > You have probably misread my email. By mmap(), I meant the enclave file= would be mapped via *multiple* mmap() calls, in the same way as what dlope= n() would do in loading regular shared object. The intention here is to mak= e the enclave file subject to the same checks as regular shared objects. > > No, I didn't misread your email. My original point still stands: > requiring that an enclave's memory is created from one or more mmap > calls of a file puts significant restrictions on the enclave's on-disk > representation. > For a tiny bit of background, Linux (AFAIK*) makes no effort to ensure the complete integrity of DSOs. What Linux *does* do (if so configured) is to make sure that only approved data is mapped executable. So, if you want to have some bytes be executable, those bytes have to come from a file that passes the relevant LSM and IMA checks. So we have two valid approaches, I think. Approach 1: we treat SGX exactly the same way and make it so that only bytes that pass the relevant checks can be mapped as code within an enclave. This imposes no particular restrictions on the file format -- we just need some API that takes an fd, an offset, and a length, and adds those bytes as code to an enclave. (It could also take a pointer and a length and make sure that the pointer points to executable memory -- same effect.) Approach 2: we decide that we want a stronger guarantee and that we *will* ensure the integrity of the enclave. This means: 2a) that we either need to load the entire thing from some approved file, and we commit to supporting one or more file formats. 2b) we need to check that the eventual enclave hash is approved. Or we could have a much shorter file that is just the hash and we check that. At its simplest, the file could be *only* the hash, and there could be an LSM callback to check it. In the future, if someone wants to allow enclaves to be embedded in DSOs, we could have a special ELF note or similar that contains an enclave hash or similar. 2c) same as 2b except that we expose the whole SIGSTRUCT, not just the hash= . Here are some pros and cons of various bits: 1 and 2a allow anti-virus software to scan the enclave code, and 2a allows it to scan the whole enclave. I don't know if this is actually imporant. 2a is by far the most complicated kernel implementation. 2b and 2c are almost file-format agnostic. 1 is completely file format agnostic but, in exchange, it's much weaker. 2b and 2c should solve most (but not all) of the launch control complaints that Dr. Greg cares about, in the sense that the LSM policy quite literally validates that the enclave is approved. As a straw man design, I propose the following, which is mostly 2c. The whole loading process works almost as in Jarkko's current driver, but the actual ioctl that triggers EINIT changes. When you issue the ioctl, you pass in an fd and the SIGSTRUCT is loaded and checked from the fd. The idea is that software that ships an enclave will ship a .sgxsig file that is literally a SIGSTRUCT for the enclave. With SELinux, that file gets labeled something like sgx_enclave_sigstruct_t. And we have the following extra twist: if you're calling the EADD ioctl to add *code* to the enclave, the driver checks that the code being loaded is mapped executable. This way existing code-signing policies don't get subverted, and policies that want to impose full verification on the enclave can do so by verifying the .sigstruct file. What do you all think? * It's certainly the case that Linux does not *succeed* at preserving the overall integrity of shared objects. If nothing else, you can freely mremap() them however you like. And you can jump into them wherever you like.